Google had some passwords stored in plaintext for more than a decade

The bug affects its business customers only, the tech giant said.

Alfred Ng
Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
2 min read
Google logo stickers

Plain to see.

Stephen Shankland/CNET

You might've tried your best to keep your passwords hidden, but a bug could've allowed Google employees to view those login credentials. 

In a blog post Tuesday, Google notified G Suite customers that some passwords were stored on its internal servers without any encryption -- meaning anyone who found them could read them in plain text. Suzanne Frey, Google Cloud Trust's vice president of engineering, said in the post that this bug affects only business users -- so if you're using Google for free, this doesn't affect you. 

"We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials," Google said.

Google is the latest tech giant to announce an issue with unhashed passwords stored on its internal servers. Hundreds of millions of Facebook passwords were stored on Facebook's internal servers, the social network said in March. In May 2018, Twitter also said a bug caused 330 million passwords to be stored in plaintext.

Standard security practice is to encrypt passwords stored on internal servers, so employees can't see and potentially abuse those login credentials. 

The G Suite bug affects only enterprise customers because back in 2005, administrators wanted tools to manually set and recover passwords. That tool stored a copy of the plaintext password, Google said. That bug lasted more than the last 14 years, the company revealed in its blog post. 

Google discovered a separate bug from this January, which stored passwords in plaintext for up to two weeks. The company said it has notified admins who are affected by these security issues.